https://community.splunk.com/t5/Splunk-Search/Rex-field-extraction/m-p/640575#M221949 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237518">@zacksoft_wf</a>,</P><P>it's used when the log is multirow.</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the Contributors&nbsp;<span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>&nbsp;</P> Wed, 19 Apr 2023 12:00:31 GMT gcusello 2023-04-19T12:00:31Z https://community.splunk.com/t5/Splunk-Search/Rex-field-extraction/m-p/640567#M221946 <P>I have a field called 'description'. I want to be able to extract&nbsp;<SPAN>MD5, SHA1, SHA256 values present in this field.<BR />Need help with regular expression. Here is an example of the field value. It's pretty huge. Towards the last you will notice&nbsp;MD5, SHA1, SHA256 values.<BR /><BR />Example:<BR />============<BR /></SPAN></P><P>Family: alien</P><P>alien is a credential theft malware designed to run on a mobile phone running the Android operating system. This malware will attempt to monitor the users activities and steal their data by either logging keystrokes, copying their clipboard content or applying a overlay on top of legitimate applications the malware is instructed to monitor for.</P><P>Pattern(s) extracted from web_inject config for this family:<BR /><BR />com.wf.Tubeswatermobile</P><P><BR />Infrastructure: hxxp://yektkedecaedem.shop<BR />Type: CNC</P><P>Infrastructure purpose: A CNC is the interface between the botnet and the threat actor, allowing the threat actor to send commands, exfiltrate data and manage an infected machine.</P><P>&nbsp;</P><P>&nbsp;</P><P>Virustotal Report: <A href="https://www.virustotal.com/gui/url/b2eba8fb7266c50f23d71d1ref5c5df663962eccf1420d59a14ee2hb5005f6fb/detection" target="_blank">https://www.virustotal.com/gui/url/b2eba8fb7266c50f23d71d1ref5c5df663962eccf1420d59a14ee2hb5005f6fb/detection</A></P><P>Associated Payload Hashes:<BR /><STRONG>MD5</STRONG> 9fagf968da04a2bb464f4842ebd1bd29<BR /><STRONG>SHA1</STRONG> 0bacdak9d1a7dbb975759d687645006f875a388b<BR /><STRONG>SHA256</STRONG> ba57be868c89b4a342c412c066dc58ed9a888f8009ec512917004380d8e8233e</P><P><A href="http://yeytledfcaeden.shop" target="_blank">http://yeytledfcaeden.shop</A></P><P><SPAN><BR />============</SPAN></P> Wed, 19 Apr 2023 10:50:03 GMT https://community.splunk.com/t5/Splunk-Search/Rex-field-extraction/m-p/640567#M221946 zacksoft_wf 2023-04-19T10:50:03Z https://community.splunk.com/t5/Splunk-Search/Rex-field-extraction/m-p/640569#M221947 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237518">@zacksoft_wf</a> , try the following rex that will create 3 fields, one for each hash.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| rex field=description "(?ms)MD5\s+(?&lt;md5&gt;\w+)\s+SHA1\s+(?&lt;sha1&gt;\w+)\s+SHA256\s+(?&lt;sha256&gt;\w+)"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 19 Apr 2023 10:57:33 GMT https://community.splunk.com/t5/Splunk-Search/Rex-field-extraction/m-p/640569#M221947 javiergn 2023-04-19T10:57:33Z https://community.splunk.com/t5/Splunk-Search/Rex-field-extraction/m-p/640571#M221948 <P>Thank you. May I ask what the "?ms"&nbsp; is for?</P> Wed, 19 Apr 2023 11:21:42 GMT https://community.splunk.com/t5/Splunk-Search/Rex-field-extraction/m-p/640571#M221948 zacksoft_wf 2023-04-19T11:21:42Z https://community.splunk.com/t5/Splunk-Search/Rex-field-extraction/m-p/640575#M221949 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237518">@zacksoft_wf</a>,</P><P>it's used when the log is multirow.</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the Contributors&nbsp;<span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>&nbsp;</P> Wed, 19 Apr 2023 12:00:31 GMT https://community.splunk.com/t5/Splunk-Search/Rex-field-extraction/m-p/640575#M221949 gcusello 2023-04-19T12:00:31Z